This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch 3.9.x in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 913a4ac3e63bf3696c4557119e6c0c806d047db2 Author: Benoit TELLIER <[email protected]> AuthorDate: Tue Feb 17 18:32:49 2026 +0100 JAMES-4171 Use a separated hook (#2941) --- docs/modules/servers/partials/configure/smtp.adoc | 2 +- .../sample-configuration/smtpserver.xml | 1 + .../sample-configuration/smtpserver.xml | 3 ++ .../jpa-app/sample-configuration/smtpserver.xml | 1 + .../sample-configuration/smtpserver.xml | 3 ++ .../memory-app/sample-configuration/smtpserver.xml | 1 + .../apache/james/smtpserver/AuthRequiredHook.java | 50 ++++++++++++++++++++++ .../james/smtpserver/CoreCmdHandlerLoader.java | 1 + .../SenderAuthIdentifyVerificationHook.java | 4 -- src/site/xdoc/server/config-smtp-lmtp.xml | 2 +- 10 files changed, 62 insertions(+), 6 deletions(-) diff --git a/docs/modules/servers/partials/configure/smtp.adoc b/docs/modules/servers/partials/configure/smtp.adoc index f6d826a2f8..5c794bacdf 100644 --- a/docs/modules/servers/partials/configure/smtp.adoc +++ b/docs/modules/servers/partials/configure/smtp.adoc @@ -105,7 +105,7 @@ can be used to enforce strong authentication mechanisms. Note that if false (legacy value and default for backward compatibility) then unauthenticated senders are allowed but limited by sender verification (prevent spoofing) and relaying limits (must be authenticated to relay). -We encourage setting this value to true on submission ports (465 + 587). +We encourage setting this value to true on submission ports (465 + 587). MUST be set to false on port 25 or for any port with MX external mail receival role. Please note that `authorizedAddresses` are considered authenticated. diff --git a/server/apps/distributed-app/sample-configuration/smtpserver.xml b/server/apps/distributed-app/sample-configuration/smtpserver.xml index 41f66dc318..3ad5f2b42f 100644 --- a/server/apps/distributed-app/sample-configuration/smtpserver.xml +++ b/server/apps/distributed-app/sample-configuration/smtpserver.xml @@ -47,6 +47,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <required>false</required> <requireSSL>false</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> </auth> diff --git a/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml b/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml index 5b5d8aa587..6be6b4cb51 100644 --- a/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml +++ b/server/apps/distributed-pop3-app/sample-configuration/smtpserver.xml @@ -37,6 +37,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <required>false</required> <requireSSL>false</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> </auth> @@ -66,6 +67,7 @@ <announce>forUnauthorizedAddresses</announce> <requireSSL>true</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> + <required>true</required> <!-- Sample OIDC configuration --> <!-- <oidc> @@ -103,6 +105,7 @@ <announce>forUnauthorizedAddresses</announce> <requireSSL>true</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> + <required>true</required> <!-- Sample OIDC configuration --> <!-- <oidc> diff --git a/server/apps/jpa-app/sample-configuration/smtpserver.xml b/server/apps/jpa-app/sample-configuration/smtpserver.xml index aa69f74f1c..cb614febbf 100644 --- a/server/apps/jpa-app/sample-configuration/smtpserver.xml +++ b/server/apps/jpa-app/sample-configuration/smtpserver.xml @@ -48,6 +48,7 @@ <auth> <announce>never</announce> <requireSSL>false</requireSSL> + <required>false</required> <plainAuthEnabled>true</plainAuthEnabled> </auth> <authorizedAddresses>127.0.0.0/8</authorizedAddresses> diff --git a/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml b/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml index cd8b82c104..4f9057d93a 100644 --- a/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml +++ b/server/apps/jpa-smtp-app/sample-configuration/smtpserver.xml @@ -47,6 +47,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>never</announce> + <required>false</required> <requireSSL>false</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> </auth> @@ -84,6 +85,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <required>true</required> <requireSSL>true</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> <!-- Sample OIDC configuration --> @@ -131,6 +133,7 @@ <connectionLimitPerIP>0</connectionLimitPerIP> <auth> <announce>forUnauthorizedAddresses</announce> + <required>true</required> <requireSSL>true</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> <!-- Sample OIDC configuration --> diff --git a/server/apps/memory-app/sample-configuration/smtpserver.xml b/server/apps/memory-app/sample-configuration/smtpserver.xml index aa69f74f1c..34e21b9637 100644 --- a/server/apps/memory-app/sample-configuration/smtpserver.xml +++ b/server/apps/memory-app/sample-configuration/smtpserver.xml @@ -46,6 +46,7 @@ <connectionLimit>0</connectionLimit> <connectionLimitPerIP>0</connectionLimitPerIP> <auth> + <required>false</required> <announce>never</announce> <requireSSL>false</requireSSL> <plainAuthEnabled>true</plainAuthEnabled> diff --git a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/AuthRequiredHook.java b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/AuthRequiredHook.java new file mode 100644 index 0000000000..1a8893610d --- /dev/null +++ b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/AuthRequiredHook.java @@ -0,0 +1,50 @@ +/**************************************************************** + * Licensed to the Apache Software Foundation (ASF) under one * + * or more contributor license agreements. See the NOTICE file * + * distributed with this work for additional information * + * regarding copyright ownership. The ASF licenses this file * + * to you under the Apache License, Version 2.0 (the * + * "License"); you may not use this file except in compliance * + * with the License. You may obtain a copy of the License at * + * * + * http://www.apache.org/licenses/LICENSE-2.0 * + * * + * Unless required by applicable law or agreed to in writing, * + * software distributed under the License is distributed on an * + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * + * KIND, either express or implied. See the License for the * + * specific language governing permissions and limitations * + * under the License. * + ****************************************************************/ + +package org.apache.james.smtpserver; + +import org.apache.james.core.MaybeSender; +import org.apache.james.protocols.smtp.SMTPRetCode; +import org.apache.james.protocols.smtp.SMTPSession; +import org.apache.james.protocols.smtp.dsn.DSNStatus; +import org.apache.james.protocols.smtp.hook.HookResult; +import org.apache.james.protocols.smtp.hook.HookReturnCode; +import org.apache.james.protocols.smtp.hook.MailHook; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class AuthRequiredHook implements MailHook { + private static final Logger LOGGER = LoggerFactory.getLogger(AuthRequiredHook.class); + protected static final HookResult AUTH_REQUIRED = HookResult.builder() + .hookReturnCode(HookReturnCode.deny()) + .smtpReturnCode(SMTPRetCode.AUTH_REQUIRED) + .smtpDescription(DSNStatus.getStatus(DSNStatus.PERMANENT, DSNStatus.SECURITY_AUTH) + + " Authentication Required") + .build(); + + @Override + public HookResult doMail(SMTPSession session, MaybeSender sender) { + ExtendedSMTPSession nSession = (ExtendedSMTPSession) session; + if (!session.isRelayingAllowed() && !nSession.senderVerificationConfiguration().allowUnauthenticatedSender()) { + LOGGER.info("Authentication is required for sending email (sender: {})", sender.asString()); + return AUTH_REQUIRED; + } + return HookResult.DECLINED; + } +} diff --git a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/CoreCmdHandlerLoader.java b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/CoreCmdHandlerLoader.java index 9ce5ef68ab..c0a6c8b9ea 100644 --- a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/CoreCmdHandlerLoader.java +++ b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/CoreCmdHandlerLoader.java @@ -64,6 +64,7 @@ public class CoreCmdHandlerLoader implements HandlersPackage { UsersRepositoryAuthHook.class.getName(), AuthRequiredToRelayRcptHook.class.getName(), SenderAuthIdentifyVerificationHook.class.getName(), + AuthRequiredHook.class.getName(), PostmasterAbuseRcptHook.class.getName(), ReceivedDataLineFilter.class.getName(), DataLineJamesMessageHookHandler.class.getName(), diff --git a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java index 8792e3c629..300b79bc25 100644 --- a/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java +++ b/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java @@ -74,10 +74,6 @@ public class SenderAuthIdentifyVerificationHook extends AbstractSenderAuthIdenti @Override public HookResult doCheck(SMTPSession session, MaybeSender sender) { ExtendedSMTPSession nSession = (ExtendedSMTPSession) session; - if (!session.isRelayingAllowed() && !nSession.senderVerificationConfiguration().allowUnauthenticatedSender()) { - LOGGER.info("Authentication is required for sending email (sender: {})", sender.asString()); - return AUTH_REQUIRED; - } if (nSession.senderVerificationConfiguration().mode() == SMTPConfiguration.SenderVerificationMode.STRICT) { return super.doCheck(session, sender); } else if (nSession.senderVerificationConfiguration().mode() == SMTPConfiguration.SenderVerificationMode.RELAXED) { diff --git a/src/site/xdoc/server/config-smtp-lmtp.xml b/src/site/xdoc/server/config-smtp-lmtp.xml index 2471d4c5a7..d6b632734a 100644 --- a/src/site/xdoc/server/config-smtp-lmtp.xml +++ b/src/site/xdoc/server/config-smtp-lmtp.xml @@ -115,7 +115,7 @@ Note that if false (legacy value and default for backward compatibility) then unauthenticated senders are allowed but limited by sender verification (prevent spoofing) and relaying limits (must be authenticated to relay).<br/> - We encourage setting this value to true on submission ports (465 + 587).<br/> + We encourage setting this value to true on submission ports (465 + 587). MUST be set to false on port 25 or for any port with MX external mail receival role.<br/> Please note that `authorizedAddresses` are considered authenticated.</dd> <dt><strong>auth.requireSSL</strong></dt> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
